The Hacker News — Cyber Security, Hacking, Technology News

Again bad news for consumers with Netgear routers: Netgear routers have been hit by another serious security vulnerability, but this time more than two dozen router models are affected.

Security researchers from Trustwave are warning of a new authentication vulnerability in at least 31 Netgear router models that potentially affects over one million Netgear customers.

The new vulnerability, discovered by Trustwave's SpiderLabs researcher Simon Kenin, can allow remote hackers to obtain the admin password for the Netgear router through a flaw in the password recovery process.

Kenin discovered the flaw (CVE-2017-5521) when he was trying to access the management page of his Netgear router but had forgotten its password.

Exploiting the Bug to Gain Full Access to Affected Routers

So, the researcher started looking for ways to hack his own router and found a couple of exploits from 2014 that he leveraged to discover this flaw, which allowed him to query routers and easily retrieve their login credentials, giving him full access to the device.

But Kenin said the newly discovered flaw could be remotely exploited only if the router's remote management option is enabled.

While the router vendor claims the remote management option is turned off on its routers by default, according to the researcher, there are "hundreds of thousands, if not over a million" routers left remotely accessible.

"The vulnerability can be used by a remote attacker if remote administration is set to be internet facing. By default this is not turned on," Kenin said. "However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public Wi-Fi spaces like cafés and libraries using the vulnerable equipment."

If exploited by bad actors, the vulnerability, which completely bypasses any password on a Netgear router, could give hackers complete control of the affected router, including the ability to change its configuration, enlist it in a botnet or even upload entirely new firmware.

After trying out his flaw on a range of Netgear routers, Kenin was surprised to find that more than ten thousand vulnerable devices ran the flawed firmware and could be accessed remotely.

He has also released exploit code, written in Python, for testing purposes.

List of Vulnerable NETGEAR Router Models

The SpiderLabs researcher stressed that the vulnerability is very serious as it affects a large number of Netgear router models. Here's a list of affected Netgear routers:

R8500

R8300

R7000

R6400

R7300DST

R7100LG

R6300v2

WNDR3400v3

WNR3500Lv2

R6250

R6700

R6900

R8000

R7900

WNDR4500v2

R6200v2

WNDR3400v2

D6220

D6400

C6300 (firmware released to ISPs)

Update the Firmware of your NETGEAR Router Now!

Kenin notified Netgear of the flaw, and the company confirmed the issue affects a large number of its products.

Netgear has released firmware updates for all of its affected routers, and users are strongly advised to upgrade their devices.

This is the second time in around two months that researchers have discovered flaws in Netgear routers. Just last month, the US-CERT advised users to stop using Netgear's R7000 and R6400 routers due to a serious bug that permitted command injection.

However, in an effort to make its products safer, Netgear recently partnered with Bugcrowd to launch a bug bounty program that can earn researchers cash rewards of up to $15,000 for finding and responsibly reporting flaws in its hardware, APIs, and mobile apps.

Next time you see an advertisement for your favorite pair of shoes on any website, even a legitimate one, just DO NOT CLICK ON IT.

…Because that advertisement could infect not just your system, but every device connected to your network.

A few days ago, we reported on a new exploit kit, dubbed Stegano, that hides malicious code in the pixels of banner advertisements rotating on several high-profile news websites.

Now, researchers have discovered that attackers are targeting online users with an exploit kit called DNSChanger that is being distributed via advertisements that hide malicious code in image data.

Remember DNSChanger? Yes, the same malware that infected millions of computers across the world in 2012.

DNSChanger works by changing DNS server entries in infected computers to point to malicious servers under the control of the attackers, rather than the DNS servers provided by any ISP or organization.

So, whenever a user of an infected system looks up a website on the Internet (say, facebook.com), the malicious DNS server directs them to, say, a phishing site instead. Attackers could also inject ads, redirect search results, or attempt to install drive-by downloads.

The most worrisome part is that hackers have combined both threats in their recent widespread malvertising campaign, where DNSChanger malware is being spread using the Stegano technique, and once it reaches your system, instead of infecting your PC, it takes control of your unsecured router.

Researchers at Proofpoint have discovered this unique DNSChanger exploit kit, which targets more than 166 router models. The kit is unique because the malware in it does not target browsers; rather, it targets routers that run unpatched firmware or are secured with weak admin passwords.

Here's How the Attack Works:

Once the router is compromised, the DNSChanger malware configures itself to use an attacker-controlled DNS server, causing most computers and devices on the network to visit malicious servers, rather than those corresponding to their official domain.

The STUN server then sends a response back containing the IP address and port of the client. If the target's IP address is within a targeted range, the target receives a fake ad hiding exploit code in the metadata of a PNG image.

The malicious code eventually redirects the visitor to a web page hosting DNSChanger, which targets the Chrome browser on Windows and Android and serves a second image with the router exploit code concealed inside it.

"This attack is determined by the particular router model that is detected during the reconnaissance phase," a Proofpoint researcher wrote in a blog post. "If there is no known exploit, the attack will attempt to use default credentials."

List of Routers Affected

The attack then cloaks its traffic and compares the accessed router against 166 fingerprints used to determine whether the target is using a vulnerable router model. According to researchers, some of the vulnerable routers include:

D-Link DSL-2740R

NetGear WNDR3400v3 (and likely other models in this series)

Netgear R6200

COMTREND ADSL Router CT-5367 C01_R12

Pirelli ADSL2/2+ Wireless Router P.DGA4001N

It is not clear at the moment how many people have been exposed to the malicious ads or how long the campaign has been running, but Proofpoint said the attackers behind the campaign have previously been responsible for infecting more than 1 million people a day.

Proofpoint did not disclose the name of any ad network or website displaying the malicious advertisements.

Users are advised to ensure that their routers are running the latest version of the firmware and are protected with a strong password. They can also disable remote administration, change the router's default local IP address, and hardcode a trusted DNS server into the operating system's network settings.
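As an added defensive check (example code written for this page, not Proofpoint's or any vendor's tool), the script below audits the resolvers a host and its router are configured to use against an allowlist. The allowlist, the resolv.conf text and the router's upstream list are constructed sample values; the point it makes is that a host pointing at its own router looks clean, while a DNSChanger-style hijack sits in the router's upstream setting, so both must be checked.

```python
import ipaddress

# Resolvers the network owner expects to see. Constructed allowlist for this
# example; in practice use the ISP-assigned or deliberately chosen servers.
TRUSTED_RESOLVERS = frozenset({"9.9.9.9", "149.112.112.112"})
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inputs, not captured from a real machine.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
"""
# What the router itself forwards to, as read from its WAN/DNS settings page.
SAMPLE_ROUTER_UPSTREAM = ["198.51.100.7", "9.9.9.9"]

def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Label each resolver: 'trusted' (allowlisted); 'local' (RFC 1918 or
    loopback, i.e. the home router or a stub that forwards elsewhere: exactly
    the hop DNSChanger rewrites, so its upstream must be audited as well);
    'unknown' (public and not allowlisted: a possible hijack); 'invalid'."""
    report = {}
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            report[s] = "invalid"
            continue
        if s in trusted:
            report[s] = "trusted"
        elif ip.is_loopback or any(ip in net for net in RFC1918):
            report[s] = "local"
        else:
            report[s] = "unknown"
    return report

def hijack_suspected(report):
    """True if any configured resolver is neither trusted nor local."""
    return any(label in ("unknown", "invalid") for label in report.values())
```

Run audit_resolvers on both the host's list and the router's upstream list: in the sample, the host reports only its gateway as 'local', while the router's upstream contains an 'unknown' public server.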

Bad news for consumers with Netgear routers: Two popular Netgear routers are vulnerable to a critical security bug that could allow attackers to run malicious code with root privileges.

Netgear's R7000 and R6400 routers, running the current and latest firmware versions, are vulnerable to arbitrary command injection attacks, though the number of users affected by the flaw is still unclear.

In an advisory published on Friday in Carnegie Mellon University's public vulnerability database (CERT), security researchers said that all an attacker needs to do is trick a victim into visiting a website that contains specially crafted malicious code to exploit the flaw.

As soon as the victim lands on the page, the malicious commands would execute automatically with root privileges on affected routers.

A working exploit leveraging the vulnerability has also been publicly released so that anyone can carry out attacks against the vulnerable routers.

Researchers warned that other router models might also be affected by the vulnerability, advising Netgear users to stop using the routers until a patch is released.

Your router could be compromised, and there is no fixed release date for a patch. So, CERT strongly recommended that Netgear users "consider discontinuing use" of the affected routers until a patch is made available.

Hackers are increasingly targeting insecure, vulnerable routers with the purpose of making them part of nasty IoT botnets that are used to launch massive distributed denial-of-service (DDoS) attacks to knock online services offline.

Over a month ago, we saw the Mirai botnet take the entire Internet offline for a few hours just by launching DDoS attacks (coming from insecure IoT devices) against the Dyn DNS service, which crippled some of the world's biggest and most popular websites.

Just last week, nearly 1 Million users in Germany were also deprived of telephony, television, and Internet service after a supposed cyber-attack hijacked home broadband routers belonging to Deutsche Telekom.

Serious Flaws in Network Management System

A joint security investigation conducted by Pedro Ribeiro (a security researcher at the UK-based firm Agile Information) together with CERT disclosed vulnerabilities in the web interface of the NMS300 that could allow attackers to:

Upload and Execute any malicious file remotely (CVE-2016-1524)

Download any file from Server (CVE-2016-1525)

Unauthorized Arbitrary File Upload Flaw: This flaw exists in the default installation of NMS300, allowing an unauthorized attacker to upload an arbitrary file and execute malicious code (remote code execution) with SYSTEM privileges.

The security vulnerabilities affect Netgear Management System NMS300, version 1.5.0.11 and earlier.

How to Protect Your Network from Hackers

Since there are no patches yet available from Netgear to fix these vulnerabilities, the only solution that network admins can implement here is to strengthen the firewall policy by restricting access from untrusted sources.

As threats continue to evolve and increase in volume and frequency, you can no longer rely on static network security monitoring.

Good news: we bring an amazing deal this month for our readers, where you can get hacking courses for as little as you want to pay, and if you beat the average price you will receive the fully upgraded hacking bundle!

2. Angler Exploit Kit Campaign Generating $30 Million Taken Down

Researchers took down a large ransomware campaign connected to the Angler Exploit Kit that was making an estimated $30 Million a year in revenue for hackers.

The hacker or group of hackers generating $30 Million annually is responsible for up to 50% of Angler Exploit Kit activity, which simply means that the rest of Angler kit business might be generating revenue of more than $60M annually for hackers worldwide.

4. How to Activate GodMode in Windows 10

God Mode, also known as the 'Windows Master Control Panel Shortcut', is a built-in but hidden Windows feature that provides additional customization options for Microsoft's newest operating system.

Enabling God Mode in Windows 10 essentially unlocks a backdoor of the operating system to access 260+ additional settings from a single folder.

5. British Agency Can Hack Any Smartphone With Just a Text Message

The British intelligence agency GCHQ has the power to hack any smartphone device with just a text message, said the former NSA contractor and global surveillance whistleblower Edward Snowden.

According to Snowden, GCHQ has special tools that let it take over your smartphone with just a text message, and there is "very little" you can do to prevent the spying agency from having "total control" over your devices.

For the full interview of Edward Snowden with BBC investigative programme Panorama – Read more…

6. Kemoge: Latest Android Malware that Can Root Your Smartphone

A new strain of malware, dubbed 'Kemoge Malware', has made its debut as adware on Android devices, allowing third-party app stores to pilfer your device's information as well as take full control of it.

Kemoge is adware in the guise of popular Android apps. The malware is distributed under the names of popular apps, but actually repackages them with malicious code that even has the capability to root victims' phones, targeting a wide range of device models.

For more information on how Kemoge works and how to protect against it – Read more…

7. Microsoft Rewarded $24,000 Bounty to Hacker

Synack security researcher Wesley Wineberg won $24,000 from Microsoft for finding and reporting a critical flaw in Microsoft’s Live.com authentication system that could allow hackers to gain access to victims’ complete Outlook account or other Microsoft services.

Wineberg developed a ‘proof-of-concept’ exploit app, named 'Evil App', that allowed him to bypass Microsoft’s OAuth protection mechanism, effectively gaining access to everything in victim's account.

8. End of the Most Widely used SHA-1 Hash Algorithm

SHA-1, one of the Internet's most widely adopted cryptographic hash functions, is counting its last breaths.

Researchers have claimed that SHA-1 is vulnerable to collision attacks, which can be exploited to forge digital signatures, allowing attackers to break communications protected with SHA-1.

For in-depth information on collision attacks and how they work – Read more…

9. Brute Force Amplification Attack Targeting WordPress Blogs

Security researchers have discovered a way to perform amplified brute-force attacks against WordPress' built-in XML-RPC feature in an effort to crack administrator credentials.

XML-RPC protocol is used for securely exchanging data between computers across the Internet. It uses the system.multicall method that allows an application to execute multiple commands within one HTTP request.

The same method has been abused to amplify brute-force attacks many times over by attempting hundreds of passwords within just one HTTP request, without being detected.
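As an added illustration of the detection side (example code written for this page, not code from the original article or from WordPress), the Python below parses an XML-RPC request body, unwraps system.multicall, and flags a request that packs many distinct wp.getUsersBlogs credential pairs into one HTTP call. The sample request it builds is constructed, the wp.getUsersBlogs parameter layout (username, password) follows WordPress, and the MAX_CALLS threshold is an assumed policy value.

```python
import xml.etree.ElementTree as ET

# wp.getUsersBlogs takes (username, password) first; it is the usual login probe.
CRED_METHODS = {"wp.getUsersBlogs": (0, 1)}  # method -> (user idx, password idx)
MAX_CALLS = 10  # assumed per-request policy limit; tune for your site

def _member(struct, name):
    # Return the <value> of the named <member> inside an XML-RPC <struct>.
    for m in struct.findall("member"):
        if m.findtext("name") == name:
            return m.find("value")
    return None

def _scalar(value):
    # Text of <value><string>x</string></value> or a bare <value>x</value>.
    child = value.find("string")
    return (child.text if child is not None else value.text) or ""

def analyse(body):
    """Summarise one XML-RPC request body: inner call count, distinct credential
    pairs tried, and whether it looks like multicall credential guessing."""
    root = ET.fromstring(body)
    method = root.findtext("methodName") or ""
    if method != "system.multicall":
        return {"method": method, "calls": 1, "cred_pairs": 0, "suspicious": False}
    creds = set()
    structs = root.findall("./params/param/value/array/data/value/struct")
    for st in structs:
        name_v, params_v = _member(st, "methodName"), _member(st, "params")
        name = _scalar(name_v) if name_v is not None else ""
        if name in CRED_METHODS and params_v is not None:
            args = [_scalar(v) for v in params_v.findall("array/data/value")]
            ui, pi = CRED_METHODS[name]
            if len(args) > max(ui, pi):
                creds.add((args[ui], args[pi]))
    # A real client reuses one credential pair; a guesser sends many in one go.
    suspicious = len(structs) > MAX_CALLS or len(creds) > 1
    return {"method": method, "calls": len(structs),
            "cred_pairs": len(creds), "suspicious": suspicious}

def sample_multicall(passwords):
    """Constructed sample request (not captured traffic): one wp.getUsersBlogs
    call per password guess, wrapped in a single system.multicall."""
    call = ("<value><struct><member><name>methodName</name><value><string>"
            "wp.getUsersBlogs</string></value></member><member><name>params</name>"
            "<value><array><data><value><string>admin</string></value>"
            "<value><string>{}</string></value></data></array></value></member>"
            "</struct></value>")
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall"
            "</methodName><params><param><value><array><data>"
            + "".join(call.format(p) for p in passwords)
            + "</data></array></value></param></params></methodCall>")
```

A blocking rule at the web server or WAF can use the same two signals: the inner call count and the number of distinct credential pairs per request.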